Privacy Policy
Last updated: June 21, 2026
This Privacy Policy explains how Hat Rack Group, LLC (“GuideRelay,” “we,” “us,” or “our”) handles information in connection with the GuideRelay service and website. GuideRelay is a business-to-business platform for Medicare insurance agencies; it is not directed to consumers or Medicare beneficiaries.
1. Our two roles: the most important thing to understand
GuideRelay handles information in two very different capacities:
- As a Business Associate (your clients’ data). The client records, policy details, notes, and documents that an agency puts into the Service — including protected health information (“PHI”) about Medicare beneficiaries — are processed on the agency’s behalf and under its direction. We act as a HIPAA Business Associate for that data, and our Business Associate Agreement (BAA) with the agency, together with HIPAA, governs it. This Privacy Policy does not expand or override the BAA, and individuals with questions about their information should contact the agency that serves them (the “covered entity”).
- As a Controller (the account and business data). For the information we collect to run our business — an agency’s account and contact details, billing data, website and product usage, and our communications with you — we act as a controller, and this Privacy Policy applies.
2. Information we collect
- Account & agency information: agency/workspace name, the names and emails of Authorized Users, and authentication data (including multi-factor authentication enrollment).
- Billing information: subscription plan and billing status. Card details are collected and stored by our payment processor (Stripe), not by us; we keep only opaque billing identifiers and no payment-card numbers.
- Usage & device data: log data such as IP address, browser type, pages and features used, and timestamps, used to operate, secure, and improve the Service.
- Communications: messages you send us (for example, support requests or feedback).
- Customer Data (handled as a Business Associate): the client and policy information your agency enters, governed by the BAA as described in Section 1.
3. How we use information
We use the controller-role information above to:
- provide, maintain, secure, and support the Service;
- authenticate users and protect against fraud, abuse, and security incidents;
- process subscriptions and billing;
- respond to your requests and send service and administrative messages;
- understand usage and improve features and reliability;
- comply with law and enforce our agreements.
We do not sell personal information, and we do not use PHI for advertising or to train third-party AI models.
4. How we share information
We share information only as follows:
- Subprocessors and service providers who help us run the Service under written confidentiality and data-protection terms — including Amazon Web Services (cloud hosting and AI inference, under AWS’s BAA) and Stripe (payment processing). PHI is shared only with subprocessors covered by an appropriate BAA.
- At your direction — for example, with integrations you choose to enable.
- For legal reasons — to comply with law, valid legal process, or to protect the rights, safety, and security of GuideRelay, our customers, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy and the BAA.
5. AI features and your data
Where you use AI-assisted features, the relevant context is processed to generate summaries or draft suggestions. We use AI providers that operate within our cloud security boundary and under contractual protections (including, for PHI, a BAA). We do not permit our AI providers to use Customer Data or PHI to train their general models, and AI output is assistive only, for review by a qualified person — see the Terms of Service.
6. How we protect information
We use safeguards designed for a compliance-sensitive business, including encryption in transit (TLS) and at rest, customer-managed encryption keys, multi-factor authentication, role-based access controls, strict per-tenant data isolation (each agency’s data is logically separated so that one customer cannot access another’s), an append-only audit trail of record access and changes, and hosting on HIPAA-eligible cloud infrastructure. No method of transmission or storage is perfectly secure, but we work to protect your information and to respond appropriately to incidents.
7. Data retention
We retain controller-role information for as long as your account is active and as needed for the purposes described here, then delete or de-identify it in the ordinary course, subject to legal and contractual retention requirements. Retention, return, and destruction of Customer Data and PHI are governed by the BAA and by the recordkeeping requirements that apply to your agency (including CMS retention rules).
8. Your choices and rights
Authorized Users may access and update their account information in the Service or by contacting us. Agencies control the Customer Data in their workspace and can export or request deletion of it, subject to the BAA. You can opt out of non-essential email at any time; service and security messages are required while you have an account. Because GuideRelay processes most individual-level information as a Business Associate, requests from individuals about their PHI should be directed to the agency that serves them; we will support that agency in responding as required by the BAA and HIPAA. Depending on your jurisdiction, you may have additional rights, which we will honor as required by applicable law.
9. Cookies
We use a small number of strictly necessary cookies to keep you signed in and to secure the Service. We do not use third-party advertising cookies in the application.
10. Children
The Service is intended for business use by adults (18+). It is not directed to children, and we do not knowingly collect information from children.
11. Where we operate
GuideRelay is operated from the United States and hosted on U.S.-based cloud infrastructure. If you access the Service from outside the United States, you understand that information will be processed in the United States.
12. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or in-product notice), and the “Last updated” date above will change.
13. Contact
Questions about privacy? Contact us at privacy@hatrackgroup.com. For questions about a specific individual’s information held on an agency’s behalf, please contact that agency. See also our Terms of Service.